Thanks Travis.

On Thu, Sep 6, 2018, 11:34 AM Travis Schmidt <travis.schm...@gmail.com>
wrote:

> This PR (https://github.com/apereo/cas/pull/3493) was merged into 5.3.x branch,
> and I think has been ported into some 5.2.x versions to try and address
> some of these issues.
>
> On Thu, Sep 6, 2018 at 9:20 AM Andrew Marker <atmar...@gmail.com> wrote:
>
>> I like the idea of a configurable timeout for mfa globally or mfa
>> provider-service level.  The other ideas related to being able to disable
>> it quickly or set discrete failure modes for populations and at the service
>> level (which I think we can do already?) are really nice features/value
>> adds.
>>
>> *Having the request marked as a failure if it takes too long will allow
>> the existing process/contingency to kick in. This, in my opinion, is
>> critical.*
>>
>>  We never hit fail-open in the last DUO event we had because the duo
>> service never hung up.  The contingency that is in place never
>> materialized:  CAS 5.2.6 and CAS 5.2.7 are the versions in use when our two
>> DUO failures occurred btw.
>>
>> On Friday, August 31, 2018 at 11:01:37 PM UTC-5, baron wrote:
>>
>>> We're considering contingencies to MFA failures in light of recent
>>> service problems with Duo.
>>>
>>> We're currently still using CAS 5.0.x. I'm assuming the property of
>>> interest for us here is cas.authn.mfa.globalFailureMode. The documentation
>>> doesn't really make this clear, but specifically what MFA is/isn't
>>> "communicated to the client if provider" is unavailable for PHANTOM/OPEN
>>> modes? How do these differ from NONE?
>>>
>>> <https://apereo.github.io/cas/5.0.x/installation/Configuring-Multifactor-Authentication.html#fail-open-vs-fail-closed>
>>>
>>> We also have MFA enabled for each registered service with the following:
>>>
>>>   "multifactorPolicy" : {
>>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
>>>     "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
>>>     "failureMode" : "OPEN"
>>>   }
>>>
>>> It appears, however, that setting cas.authn.mfa.globalFailureMode=NONE in
>>> cas.properties is not sufficient to disable/bypass MFA. I am still prompted
>>> for it. Should globalFailureMode in cas.properties take precedence over
>>> failureMode in the service registration, or vice versa? Or is this not the
>>> right way to achieve this goal?
>>>
>>> We are thinking that OPEN may not be desired in the rare cases where Duo
>>> may be technically available (how does CAS determine Duo's availability?),
>>> but the service has degraded unacceptably.
>>>
>>> --
>>> Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
>>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f126146-db42-487e-9120-1e1de96eebdd%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/9f126146-db42-487e-9120-1e1de96eebdd%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
>
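The point raised in the quoted messages, that a provider which hangs instead of failing never triggers the failure mode unless the availability check has a deadline, as an added example that is not part of the thread and is not CAS code. The function names, the return strings and the 0.1 s deadline are assumptions, and only the OPEN and CLOSED modes are modelled.

```python
import threading
import time

# Hypothetical names throughout; this is not CAS code or the CAS API.

def provider_available(ping, timeout_s):
    """True only if ping() returns truthy within timeout_s seconds.

    A hang, an exception and a falsy result are all treated as "unavailable".
    """
    outcome = []

    def run():
        try:
            outcome.append(bool(ping()))
        except Exception:
            outcome.append(False)

    worker = threading.Thread(target=run, daemon=True)  # daemon: a hung ping cannot block exit
    worker.start()
    worker.join(timeout_s)
    return outcome[0] if outcome else False  # empty list means the deadline passed


def mfa_decision(failure_mode, ping, timeout_s):
    """Apply an OPEN/CLOSED failure mode once availability is known."""
    if failure_mode not in ("OPEN", "CLOSED"):
        raise ValueError("only OPEN and CLOSED are modelled here")
    if provider_available(ping, timeout_s):
        return "REQUIRE_MFA"
    return "SKIP_MFA" if failure_mode == "OPEN" else "DENY"


# Constructed stand-ins for a provider health check.
def healthy():
    return True

def refused():
    raise ConnectionError("constructed failure")

def degraded():
    time.sleep(0.5)  # answers eventually, far too slowly for a login flow
    return True


if __name__ == "__main__":
    for name, ping in (("healthy", healthy), ("refused", refused), ("degraded", degraded)):
        print(name, mfa_decision("OPEN", ping, timeout_s=0.1))
```

With a generous deadline the `degraded` check still counts as available, so the OPEN contingency is only reached when the deadline is shorter than the delay users can tolerate.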
